Brazil LGPD Email Marketing Consent and Purchased Lists Requirements

Email marketing in Brazil can be an effective and legitimate business activity, but it must be planned around the requirements of the Lei Geral de Proteção de Dados, commonly known as the LGPD. The law does not prohibit email marketing, nor does it ban all commercial outreach, but it does require organizations to handle personal data responsibly, transparently, and with a valid legal basis. For companies using mailing lists, lead databases, newsletter subscriptions, or third-party contacts, the key question is not simply whether an email can be sent, but whether the data used to send it was collected and processed lawfully.

TLDR: Under Brazil’s LGPD, email marketing generally requires a valid legal basis, clear transparency, and respect for the data subject’s rights. Consent is often the safest basis for newsletters and promotional campaigns, but it must be free, informed, specific, and unambiguous. Purchased email lists are high risk because the buyer must prove the personal data was collected lawfully and can be used for the intended marketing purpose. Every campaign should include identification of the sender, an easy opt-out mechanism, and proper records showing compliance.

Understanding the LGPD in the Context of Email Marketing

The LGPD applies to the processing of personal data in Brazil, including data used to identify or contact individuals. An email address is personal data when it identifies or can reasonably identify a person, especially in the case of business addresses such as name@company.com. Even generic corporate addresses may fall within data protection concerns if connected to an identifiable person or used in a behavioral marketing profile.

Email marketing usually involves several forms of processing: collecting email addresses, storing them in a customer relationship management system, segmenting contacts, tracking opens and clicks, sending promotional messages, and analyzing campaign performance. Each of these activities must be connected to a lawful basis under the LGPD. Organizations must also comply with core principles such as purpose limitation, adequacy, necessity, transparency, security, and accountability.

In practice, this means that a business should not treat email addresses as freely usable assets. A mailing database is not merely a commercial resource; it is a collection of personal data subject to legal obligations. The more promotional, intrusive, or unexpected the communication is, the more important it becomes to demonstrate that the recipient had a clear reason to expect that type of contact.

Consent Under the LGPD: What It Must Look Like

Consent is one of the lawful bases available under the LGPD, and it is commonly used for email newsletters, promotional offers, event invitations, lead magnets, and ongoing marketing communications. However, not all consent is valid. The LGPD defines consent as a free, informed, and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a specific purpose.

This has several practical consequences for email marketing:

  • Consent must be specific: A person who downloads a white paper should not automatically be subscribed to unrelated promotional campaigns unless that purpose was clearly disclosed.
  • Consent must be informed: The individual should know who is collecting the data, what messages they will receive, and how their data will be used.
  • Consent must be freely given: A company should avoid forcing users to accept marketing emails as a condition for accessing a service unless marketing is genuinely necessary for that service.
  • Consent must be demonstrable: The organization should retain records showing when, how, and for what purpose consent was obtained.
  • Consent must be revocable: The recipient must be able to withdraw consent easily, preferably through a clear unsubscribe link in every marketing email.

Pre-checked boxes, vague wording, bundled permissions, and hidden privacy notices are risky. A safer approach is to use a clear opt-in checkbox with wording such as: “I agree to receive marketing emails about products, services, and events from [Company Name]. I understand that I can unsubscribe at any time.” The consent request should be separate from acceptance of terms of service or other contractual documents.

Is Consent Always Required for Email Marketing?

The LGPD does not say that consent is the only lawful basis for marketing. In some circumstances, organizations may consider other legal bases, such as legitimate interest. However, relying on legitimate interest requires careful analysis. The company must evaluate whether its interest in sending the email is legitimate, whether the processing is necessary, and whether the rights and expectations of the recipient outweigh that interest.

For example, sending relevant communications to an existing customer about similar products or services may sometimes be supported by legitimate interest, especially where the customer reasonably expects such contact and has a simple way to opt out. Even then, the company should conduct and document a balancing test. The communication should be proportionate, not excessive, and clearly connected to the relationship with the recipient.

By contrast, cold outreach to individuals who have no relationship with the company is much more difficult to justify. The risk is higher if the email is unsolicited, the source of the data is unclear, or the message relates to sensitive topics. In such cases, consent is often the more defensible option, particularly if the business wants to build a long-term compliant marketing program.

Purchased Email Lists: A High-Risk Practice

Purchased lists are one of the most sensitive issues in LGPD email marketing compliance. They may appear attractive because they offer immediate access to a large number of contacts, but they create serious legal and reputational risks. The fact that a vendor sells a list does not mean the buyer is free to use it. Under the LGPD, the buyer may become a controller of that personal data and must be able to demonstrate a lawful basis for processing it.

Before using any purchased list, a company should ask fundamental questions:

  1. How was the data collected? Was it collected directly from the individuals, scraped from public websites, obtained through partners, or compiled from multiple sources?
  2. What were individuals told? Did the privacy notice clearly state that their data could be sold or shared with third parties for marketing?
  3. Was consent obtained? If the vendor claims consent, does that consent specifically cover marketing emails from third-party buyers?
  4. Can the vendor provide evidence? Are there records of opt-in dates, consent language, source forms, and withdrawal mechanisms?
  5. Has the data been updated? Are bounced emails, unsubscribe requests, and outdated contacts removed?

If the vendor cannot answer these questions clearly, the list should be considered unreliable. A generic statement such as “all contacts are compliant” is not enough. A serious organization should require contractual warranties, audit rights, data source documentation, and indemnity clauses where appropriate. Even with these protections, the buyer remains exposed if the actual data processing does not comply with the LGPD.

Why Purchased Lists Often Fail the Consent Standard

Purchased lists frequently fail because consent, when claimed, is too broad or ambiguous. A person may have agreed to receive information from one website, event organizer, or partner, but that does not automatically mean they agreed to receive promotional emails from an unrelated company. Under the LGPD, purposes must be clear and compatible with what the data subject was told at the time of collection.

Another common problem is that lists are generated from publicly available information. Some businesses assume that if an email address appears on a website, LinkedIn profile, conference directory, or public registry, it can be freely used for marketing. This is a dangerous assumption. Public availability does not remove LGPD protection. Public data must still be processed according to the principles of purpose, good faith, necessity, and transparency.

For example, an employee’s business email listed on a company website may be intended for customer support, press inquiries, or professional contact. Using that address for mass promotional emails may fall outside the context in which it was made available. The company sending the campaign should assess whether its use is reasonable and expected, and whether it can justify the legal basis it has selected.

Transparency Requirements for Marketing Emails

Transparency is central to LGPD compliance. Recipients should not have to guess who is contacting them, why they are receiving the email, or how to stop future messages. Each marketing email should clearly identify the sender and provide a straightforward way to opt out. The message should also link to an accessible privacy notice explaining how personal data is processed.

A compliant email marketing program should include:

  • Clear sender identity: The company name and contact information should be visible and accurate.
  • Purpose explanation: The message should make clear that it is promotional or informational marketing.
  • Unsubscribe option: Every email should include a simple, functional, and free opt-out mechanism.
  • Privacy notice link: Recipients should be able to review how their data is used and what rights they have.
  • Preference management: Where possible, recipients should be able to choose which types of messages they receive.

Opt-out requests should be honored promptly. Continuing to email someone after they unsubscribe can create compliance issues and damage trust. Businesses should also maintain suppression lists to ensure that unsubscribed contacts are not re-imported through future uploads, sales team spreadsheets, or newly purchased databases.

Data Subject Rights and Marketing Databases

The LGPD gives individuals several rights over their personal data. In the context of email marketing, these rights may include confirmation of processing, access to data, correction of inaccurate information, deletion of unnecessary or excessive data, portability in some cases, information about sharing, and revocation of consent. Organizations must have internal processes to respond to these requests within appropriate timeframes and with sufficient clarity.

Marketing teams should be trained to recognize privacy requests. A reply such as “remove me from your database” may not be just a routine unsubscribe; it may be a request for deletion or revocation of consent. Companies should ensure that customer support, sales, and marketing teams know how to route such requests to the appropriate privacy or legal function.

Recordkeeping and Accountability

The LGPD places strong emphasis on accountability. It is not enough to claim compliance; organizations must be able to demonstrate it. For email marketing, this means keeping records that show the source of each contact, the legal basis used, consent logs where applicable, privacy notice versions, unsubscribe history, and vendor documentation.

Useful records may include:

  • date and time of subscription;
  • method of opt-in, such as website form, event registration, or account setting;
  • wording of the consent notice shown to the individual;
  • IP address or technical confirmation where appropriate;
  • source of contact data;
  • campaign categories the person agreed to receive;
  • date and method of consent withdrawal or unsubscribe.

These records are especially important if the company receives complaints, is questioned by the Brazilian data protection authority, or needs to prove that a third-party list was used lawfully. Good documentation also helps prevent operational mistakes, such as emailing contacts for a purpose that exceeds their original permission.

Practical Compliance Steps for Brazilian Email Campaigns

Companies operating in Brazil or targeting Brazilian individuals should adopt a structured compliance approach before launching campaigns. First, map the data flow: identify where contacts come from, where they are stored, which tools process them, and who has access. Second, define the lawful basis for each type of marketing communication. Third, review all collection forms, landing pages, and event registrations to ensure the language is clear and specific.

For purchased or third-party lists, the safest approach is often to avoid them unless the organization can verify the data source and permissions with confidence. If a list is used, conduct due diligence on the provider, obtain written evidence of compliance, and consider sending only limited, carefully worded communications that provide immediate transparency and an easy opt-out. Even then, the company should recognize that purchased lists frequently generate complaints, low engagement, spam reports, and deliverability problems.

It is also advisable to implement double opt-in for newsletters and high-volume promotional campaigns. While not expressly required in all cases, double opt-in provides stronger evidence that the email address owner intended to subscribe. This can be particularly valuable where the organization relies on consent and wants to reduce the risk of fake or mistyped subscriptions.

Final Considerations

Email marketing under the LGPD is not simply a matter of adding an unsubscribe link. It requires a disciplined approach to lawful basis, transparency, consent management, vendor control, and respect for individual rights. Purchased lists deserve particular caution because the buyer must be able to prove that the data can lawfully be used for the intended marketing purpose.

Organizations that invest in permission-based marketing are likely to build stronger, more sustainable relationships with Brazilian audiences. A smaller list of people who clearly agreed to receive relevant communications is usually more valuable than a large database of uncertain origin. In a regulatory environment focused on accountability and trust, responsible data practices are not only a legal obligation; they are a serious business advantage.
